A customer stated they were getting results they didn't expect while configuring private VLANs during practice labs. To show how private VLANs should be configured and the results you should expect, I have put this post up here.
First the feature.
Private VLANs provide the functionality to restrict communication among members of a particular VLAN. The purpose of this is to protect devices in the event of a security breach. By limiting the communication on a VLAN, if a security breach occurs, a device that is compromised will be unable to communicate directly with other devices (or with none of them if it is in an isolated VLAN, and only with a limited number of devices if it is in a community VLAN). Thus you have provided a second line of defense on the network. Its purpose is to help mitigate security threats.
Not all Cisco devices support the feature. In particular, in relation to the lab, the Catalyst 3550s do not support the private-vlan feature. The Catalyst 3560s do support it. You can get the full list of devices that support this feature by referring to the following matrix.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml
Now that we understand the purpose of private VLANs, let's go through a basic configuration. At the end we will also test the configuration to verify that the results are as expected.
vlan 10
 private-vlan isolated
!
vlan 20
 private-vlan community
!
vlan 100
 private-vlan primary
 private-vlan association 10,20
!
interface FastEthernet0/6
 switchport private-vlan host-association 100 10
 switchport mode private-vlan host
!
interface FastEthernet0/7
 switchport private-vlan host-association 100 20
 switchport mode private-vlan host
!
interface FastEthernet0/8
 switchport private-vlan host-association 100 20
 switchport mode private-vlan host
!
interface FastEthernet0/9
 switchport private-vlan host-association 100 10
 switchport mode private-vlan host
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface GigabitEthernet0/1
 switchport private-vlan mapping 100 10,20
 switchport mode private-vlan promiscuous
I have stripped out the irrelevant configuration and only shown the configuration as it applies to the private VLANs.
So Cat1 Gi0/1 is configured as the promiscuous port. R7 and R8 are members of the community VLAN 20, and R6 and R9 are members of the isolated VLAN 10.
We can see that this is functionally working with the command "show vlan private-vlan":
Cat2#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     10        isolated          Fa0/6, Fa0/9, Gi0/1
100     20        community         Fa0/7, Fa0/8, Gi0/1
Cat2#
Cat2#sh int trunk
Cat2#
You can see above that the R6 and R9 ports are associated with VLAN 10 and the R7 and R8 ports are associated with VLAN 20.
I also used the output of "show interface trunk" to show that these VLANs are not being carried to another switch that could affect the results of this test. Cat2 is completely isolated from the rest of the layer 2 topology.
Next is testing communication from each device. First, R6:
R6(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R6(config-if)#do ping 10.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
R6(config-if)#do ping 10.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.8, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
R6(config-if)#do ping 10.1.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.9, timeout is 2 seconds:
....
Success rate is 0 percent (0/4)
R6(config-if)#
So R6 can ping Cat2 and none of the other devices. This is expected, as it is a member of an isolated VLAN: it can only communicate with the promiscuous port.
If we look at the ARP table we will also see that the only address mappings it has resolved are for the devices it is able to communicate with.
R6(config-if)#do sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.8                0   Incomplete      ARPA
Internet  10.1.1.9                0   Incomplete      ARPA
Internet  10.1.1.1                2   000b.be91.5500  ARPA   FastEthernet0/0
Internet  10.1.1.6                -   001b.d50f.f3a0  ARPA   FastEthernet0/0
Internet  10.1.1.7                0   Incomplete      ARPA
R6(config-if)#
R7 will show very similar results, but since R7 is a member of the community private VLAN it will also be able to ping R8.
R7(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R7(config-if)#do ping 10.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R7(config-if)#do ping 10.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.6, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
R7(config-if)#do ping 10.1.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.9, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
R7(config-if)#do sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.8                3   001b.d518.40e0  ARPA   FastEthernet0/0
Internet  10.1.1.9                0   Incomplete      ARPA
Internet  10.1.1.1                0   000b.be91.5500  ARPA   FastEthernet0/0
Internet  10.1.1.6                0   Incomplete      ARPA
Internet  10.1.1.7                -   001b.d50f.f280  ARPA   FastEthernet0/0
R7(config-if)#
R8 and R9 are going to have the same results as their respective counterparts. R8 is in the community VLAN and R9 is in the isolated VLAN.
R8(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R8(config-if)#do ping 10.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R8(config-if)#do ping 10.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R8(config-if)#do ping 10.1.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.9, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R8(config-if)#
R8(config-if)#do sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.8                -   001b.d518.40e0  ARPA   FastEthernet0/0
Internet  10.1.1.9                0   Incomplete      ARPA
Internet  10.1.1.1                0   000b.be91.5500  ARPA   FastEthernet0/0
Internet  10.1.1.6                0   Incomplete      ARPA
Internet  10.1.1.7                6   001b.d50f.f280  ARPA   FastEthernet0/0
R8(config-if)#

R9(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R9(config-if)#do ping 10.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.6, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
R9(config-if)#do ping 10.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
R9(config-if)#do ping 10.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.8, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
R9(config-if)#do sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.8                0   Incomplete      ARPA
Internet  10.1.1.9                -   001b.d517.be00  ARPA   FastEthernet0/0
Internet  10.1.1.1                0   000b.be91.5500  ARPA   FastEthernet0/0
Internet  10.1.1.6                0   Incomplete      ARPA
Internet  10.1.1.7                0   Incomplete      ARPA
R9(config-if)#
Everything is operating as expected.
So we can see from the above that communication worked as we expected it to, and ARP resolution only succeeded for the devices that each device should be able to reach.
For my last test I will shut down port G0/1 on Cat1 and test again from R7.
R7(config-if)#do ping 10.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R7(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R7(config-if)#do sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.8                8   001b.d518.40e0  ARPA   FastEthernet0/0
Internet  10.1.1.1                1   000b.be91.5500  ARPA   FastEthernet0/0
Internet  10.1.1.7                -   001b.d50f.f280  ARPA   FastEthernet0/0
R7(config-if)#
Results as expected. I can ping the other member of the community VLAN, but I am unable to ping the promiscuous port as it is administratively down.
If you are getting different results than what I have shown above, please provide more details about your configuration.
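To make the expected results checkable before you ever touch a switch, here is an added example (my own code, not part of the original post and not Cisco's implementation) that parses the private-VLAN statements of the configuration above and computes which ports can exchange frames. The forwarding rules it models are the ones the post demonstrates: a host port in an isolated secondary VLAN only talks to the promiscuous port, host ports in the same community VLAN also talk to each other, and a port that is shut down talks to nobody. The `PVLAN_CONFIG` text is a constructed copy of the post's configuration; the function and field names are my own. The model is layer 2 only, so it deliberately does not account for a layer 3 device on the promiscuous port relaying traffic between secondary VLANs (the proxy-ARP case discussed in the comments).

```python
import re

# Constructed sample: the private-VLAN statements from the switch configuration in the post.
PVLAN_CONFIG = """\
vlan 10
 private-vlan isolated
!
vlan 20
 private-vlan community
!
vlan 100
 private-vlan primary
 private-vlan association 10,20
!
interface FastEthernet0/6
 switchport private-vlan host-association 100 10
 switchport mode private-vlan host
!
interface FastEthernet0/7
 switchport private-vlan host-association 100 20
 switchport mode private-vlan host
!
interface FastEthernet0/8
 switchport private-vlan host-association 100 20
 switchport mode private-vlan host
!
interface FastEthernet0/9
 switchport private-vlan host-association 100 10
 switchport mode private-vlan host
!
interface GigabitEthernet0/1
 switchport private-vlan mapping 100 10,20
 switchport mode private-vlan promiscuous
"""


def parse_pvlan_config(text):
    """Parse private-VLAN statements out of an IOS-style running-config (hypothetical helper).

    Returns (vlan_types, associations, ports):
      vlan_types   {vlan_id: 'isolated' | 'community' | 'primary'}
      associations {primary_id: set(secondary ids)}
      ports        {ifname: {'mode', 'primary', 'secondaries', 'shutdown'}}
    """
    vlan_types, associations, ports = {}, {}, {}
    ctx = None  # ('vlan', id) or ('if', name): the config block we are currently inside
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            ctx = ("vlan", int(m[1]))
        elif m := re.fullmatch(r"interface (\S+)", line):
            ctx = ("if", m[1])
            ports[m[1]] = {"mode": None, "primary": None, "secondaries": set(), "shutdown": False}
        elif ctx and ctx[0] == "vlan":
            if m := re.fullmatch(r"private-vlan (isolated|community|primary)", line):
                vlan_types[ctx[1]] = m[1]
            elif m := re.fullmatch(r"private-vlan association ([\d,]+)", line):
                associations[ctx[1]] = {int(v) for v in m[1].split(",")}
        elif ctx and ctx[0] == "if":
            port = ports[ctx[1]]
            if m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line):
                port["mode"] = m[1]
            elif m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
                port["primary"], port["secondaries"] = int(m[1]), {int(m[2])}
            elif m := re.fullmatch(r"switchport private-vlan mapping (\d+) ([\d,]+)", line):
                port["primary"], port["secondaries"] = int(m[1]), {int(v) for v in m[2].split(",")}
            elif line == "shutdown":
                port["shutdown"] = True
    return vlan_types, associations, ports


def can_forward(src, dst, vlan_types, associations, ports):
    """True if a frame entering port src is delivered out of port dst under private-VLAN rules."""
    a, b = ports[src], ports[dst]
    if a["shutdown"] or b["shutdown"] or a["mode"] is None or b["mode"] is None:
        return False  # administratively down, or not a private-VLAN port at all
    if a["primary"] != b["primary"]:
        return False  # different primary VLANs never exchange frames
    valid = associations.get(a["primary"], set())  # secondaries actually bound to this primary
    shared = a["secondaries"] & b["secondaries"] & valid
    if "promiscuous" in (a["mode"], b["mode"]):
        # Promiscuous <-> host: the host's secondary VLAN must be in the promiscuous mapping.
        # Promiscuous <-> promiscuous: any common mapped secondary carries the frame.
        return bool(shared)
    # Host <-> host: only within one community VLAN; isolated hosts never reach each other.
    return any(vlan_types.get(v) == "community" for v in shared)


def reachability(text, down=()):
    """Map every ordered port pair to whether it can talk; `down` lists ports to shut down."""
    vlan_types, associations, ports = parse_pvlan_config(text)
    for name in down:
        ports[name]["shutdown"] = True
    return {(s, d): can_forward(s, d, vlan_types, associations, ports)
            for s in ports for d in ports if s != d}


if __name__ == "__main__":
    for (s, d), ok in sorted(reachability(PVLAN_CONFIG).items()):
        print(f"{s:>20} -> {d:<20} {'reachable' if ok else 'blocked'}")
```

Running the script prints the full reachability matrix; `reachability(PVLAN_CONFIG, down=("GigabitEthernet0/1",))` reproduces the final test, where R7 still reaches R8 but nobody reaches the promiscuous port. Comparing this matrix against the ping results is a quick way to tell a genuine switch problem from a configuration that simply does not say what you thought it said.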
Here is the configuration from the test above.
Tyson Scott
CCIE #13513 R&S and Security
Technical Instructor – IPexpert, Inc.
Mailto: tscott@ipexpert.com
IPexpert – The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE Storage Lab Certifications
Tags: CCIE, Private VLAN, Routing & Switching, Tech Note


Symon,
Yes it is possible. Below is a reference URL for you.
http://tinyurl.com/nkgatp
Regards,
Tyson Scott
Hello,
I have one question: is it possible to propagate PVLAN through a trunk port on a 3560G switch? I have 2 4948s configured with PVLAN and connected with each other using a 3560G. I cannot find any command to configure the trunk port in the 3560G user guide. Any idea?
Zeeshan,
I guess it is important to understand the purpose of private VLANs. The purpose is to separate devices into private clusters to prevent communication from device to device. If you then allow communication from device to device you have effectively overcome the security features of private VLANs.
You can use proxy-arp to make it so the isolated devices can communicate with each other if it was necessary for something in the CCIE lab, but it would not be a recommended security practice to ever do it in the real world in any situation that I can think of. You would have the communication occurring on a separate private subnet.
So proxy-arp breaks the intentional design of private VLANs. If you want to have devices communicate with each other then you need to put the devices on separate VLANs. You are effectively doing such with proxy-arp in a non-recommended design.
Thanks Tyson …
One more thing …
What the Cisco documentation says is that we can communicate between different secondary VLANs through a layer 3 device attached to a promiscuous port.
Thus the devices must ping each other through the L3 device. In your topology they cannot. Is it because you have not enabled local IP proxy ARP?